- Threat actors are again targeting a critical vulnerability in SAP Internet Communication Manager six months after security patches were released, according to researchers from Onapsis Research Labs.
- The vulnerability, assigned CVE-2022-22536 with a critical CVSS score of 10, was the most severe in a series found during research into a technique called HTTP response smuggling. The vulnerabilities allow an attacker to gain control of a compromised system and engage in a range of attacks, including theft of sensitive data, ransomware and disruption of mission-critical functions.
- The Cybersecurity and Infrastructure Security Agency on Aug. 18 added the vulnerability to its Known Exploited Vulnerabilities Catalog.
Onapsis researchers, two weeks after presenting an update on the vulnerabilities at Black Hat USA, said they observed a sudden uptick in threat activity targeting the SAP ICMAD vulnerabilities and urged organizations to immediately apply the patch.
The Black Hat presentation included a demonstration of how to leverage two memory corruption vulnerabilities found in SAP’s proprietary HTTP Server, according to an Onapsis spokesperson. The vulnerabilities, CVE-2022-22536 and CVE-2022-22532, could be exploited remotely and allow an attacker to compromise an SAP installation anywhere.
SAP is used by about 400,000 companies around the world, including about 90% of the Fortune 500.
“The threat remains high due to the criticality of the vulnerability, how widespread the affected protocol is and the initial exposure to the internet,” JP Perez-Etchegoyen, CTO at Onapsis, said via email.
“As a global leader in business software, SAP prioritizes the security of our customers’ data and operates a comprehensive security strategy across the enterprise to ensure secure and reliable software solutions,” SAP said in an emailed statement.
The company said it released a patch for CVE-2022-22536 back in February and recommends customers apply the patch “with immediate effect.”